To identify vulnerable dependencies in your repository and receive alerts about vulnerabilities, you need to enable two security features:
- The dependency graph
- Dependabot alerts
We add vulnerabilities to the GitHub Advisory Database from the following sources:
- The National Vulnerability Database
- A combination of machine learning and human review to detect vulnerabilities in public commits on GitHub
- Security advisories reported on GitHub
- The npm Security advisories database
You can connect your GitHub Enterprise Server instance to GitHub.com, then sync vulnerability data to your instance and generate Dependabot alerts in repositories with a vulnerable dependency.
After connecting your GitHub Enterprise Server instance to GitHub.com and enabling the dependency graph and Dependabot alerts for vulnerable dependencies, vulnerability data is synced from GitHub.com to your instance once every hour. You can also choose to manually sync vulnerability data at any time. No code or information about code from your GitHub Enterprise Server instance is uploaded to GitHub.com.
When your GitHub Enterprise Server instance receives information about a vulnerability, it will identify repositories in your instance that use the affected version of the dependency and generate Dependabot alerts. You can customize how you receive Dependabot alerts. For more information, see "Configuring notifications for vulnerable dependencies."
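The matching step described above (advisory data arrives, repositories whose dependency graph contains an affected version are flagged) can be sketched in a few lines. The following is an added illustration, not GitHub's implementation: it uses constructed advisory records with version ranges written in the style of the GitHub Advisory Database and a constructed per-repository dependency list, and reports which repositories would raise an alert.

```python
import re
from typing import Dict, List, Tuple

# Constructed advisory records (ids and ranges are made up for this example).
ADVISORIES = [
    {"id": "GHSA-EXAMPLE-0001", "ecosystem": "npm", "package": "lodash",
     "vulnerable_version_range": ">= 4.0.0, < 4.17.21"},
    {"id": "GHSA-EXAMPLE-0002", "ecosystem": "pip", "package": "requests",
     "vulnerable_version_range": "< 2.20.0"},
]

# Constructed dependency graph snapshot: repo -> [(ecosystem, package, version)].
REPOS = {
    "org/web-app": [("npm", "lodash", "4.17.15"), ("npm", "express", "4.18.2")],
    "org/api": [("pip", "requests", "2.31.0"), ("pip", "flask", "2.3.0")],
    "org/legacy": [("pip", "requests", "2.19.1"), ("npm", "lodash", "4.17.21")],
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.17.15' into (4, 17, 15); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "=": lambda a, b: a == b}

def in_range(version: str, version_range: str) -> bool:
    """True if version satisfies every comma-separated clause, e.g. '>= 4.0.0, < 4.17.21'."""
    v = parse_version(version)
    for clause in version_range.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*([\w.\-]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported constraint: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

def find_alerts(repos, advisories) -> Dict[str, List[str]]:
    """Map each repository to the advisory ids whose ecosystem, package and range match a dependency."""
    alerts: Dict[str, List[str]] = {}
    for repo, deps in repos.items():
        for eco, pkg, ver in deps:
            for adv in advisories:
                if (adv["ecosystem"], adv["package"]) == (eco, pkg) and \
                        in_range(ver, adv["vulnerable_version_range"]):
                    alerts.setdefault(repo, []).append(adv["id"])
    return alerts

if __name__ == "__main__":
    for repo, ids in find_alerts(REPOS, ADVISORIES).items():
        print(repo, "->", ", ".join(ids))
```

Note that a repository carrying the patched version (org/legacy with lodash 4.17.21) gets no alert for that package, while an older pin of the same package elsewhere does.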
For your GitHub Enterprise Server instance to generate Dependabot alerts whenever vulnerabilities are detected on your repositories:
- You must connect your GitHub Enterprise Server instance to GitHub.com. For more information, see "Connecting GitHub Enterprise Server to GitHub Enterprise Cloud."
- You must enable the dependency graph.
- Sign in to your GitHub Enterprise Server instance at
- In the administrative shell, enable the dependency graph on your GitHub Enterprise Server instance:
  $ ghe-config app.github.dependency-graph-enabled true
  Note: For more information about enabling access to the administrative shell via SSH, see "Accessing the administrative shell (SSH)."
- Apply the configuration.
- Return to GitHub Enterprise Server.
Before enabling Dependabot alerts for your instance, you need to enable the dependency graph. For more information, see above.
- In the top-right corner of GitHub Enterprise Server, click your profile photo, then click Enterprise settings.
- In the enterprise account sidebar, click GitHub Connect.
- Under "Repositories can be scanned for vulnerabilities", use the drop-down menu and select Enabled without notifications. Optionally, to enable alerts with notifications, select Enabled with notifications.
We recommend configuring Dependabot alerts without notifications for the first few days to avoid an overload of emails. After a few days, you can enable notifications to receive Dependabot alerts as usual.
You can view all vulnerabilities in your GitHub Enterprise Server instance and manually sync vulnerability data from GitHub.com to update the list.
- From an administrative account on GitHub Enterprise Server, click in the upper-right corner of any page.
- In the left sidebar, click Vulnerabilities.
- To sync vulnerability data, click Sync Vulnerabilities now.